Tag Archives: Computer Security Institute

There’s a Virus Going Around

Note: This is the first in a series of technology updates by former Inc. senior writer Anne Stuart. Future columns will explore topics such as “spam,” videoconferencing, cell phone messaging, and smart business use of online auctions.

Slammer. Klez. Bugbear. Bubbleboy. Lirva. Those sound like names for characters in kids’ cartoons, but they’re neither funny nor harmless. They’re computer viruses. And they’re increasingly common. Over the past decade, virus-writers worldwide have created and released about 80,000 viruses, worms, Trojan horses and other “malware” programs, according to Graham Cluley, senior technology consultant for antivirus software vendor Sophos Inc. (www.sophos.com). And about 600 to 800 new variations crop up every month, although, typically, only a few cause widespread or serious headaches.

What exactly is a virus? It’s a tiny, malicious software program designed purely to disrupt or damage computers.

What exactly do viruses do? Some simply display odd messages or images. Many — including the famous Melissa virus — perpetuate themselves by sending infected messages to everyone in a user’s e-mail address book. Others gobble memory or storage space, making systems sluggish. Some corrupt files — for instance, changing spreadsheets or chewing up text documents — or erase them entirely. Some alter Web pages. Some reformat hard drives, block user access, or cause systems to freeze. A few disable security measures or open secret “holes” into computer networks, providing hackers with easy access.

Like their biological counterparts, computer viruses can spread fast, attack systems silently, and cause a great deal of pain. In January 2003, the SQL Slammer worm circled the globe in less than an hour, infecting 75,000 computers in 10 minutes. Slammer, which paralyzed computers running Microsoft SQL Server 2000, temporarily shut down South Korea’s telephone system, knocked out thousands of Bank of America automatic-teller machines, and slowed credit-card transactions worldwide.

How much financial damage can viruses cause? It’s tough to find reliable numbers about the costs of virus attacks because some effects — for instance, decreased productivity and unrealized business opportunity — are tough to quantify. In addition, many companies simply won’t share information about security-related losses.

Following are several ways you can prevent or minimize the impact of virus attacks in your business:

Install antivirus software on every computer. That includes laptops and PCs in remote offices. Encourage employees to use antivirus programs at home as well, especially if they use their own computers to connect to your network. In addition, consider protecting e-mail gateways with software that automatically blocks all incoming messages carrying executable code — but keep in mind that those filters may also capture legitimate business communications with harmless attachments.

Keep antivirus programs current. With new viruses popping up regularly, it’s critical to make sure you’ve got the latest protection. Most leading solutions can be set to periodically update themselves online; you can also do the job manually to respond to new threats.

Launch a company-wide prevention campaign. State-of-the-art security measures won’t protect your company unless everyone uses them. A single employee can unintentionally infect the entire network by opening a booby-trapped e-mail attachment or installing contaminated software. Make sure everybody knows and follows these basic virus-prevention procedures:

Always delete junk e-mail messages — ads, jokes, chain letters — without opening them. More than 85% of viruses infect businesses via e-mail, according to the International Computer Security Association’s (www.icsa.net) annual Virus Prevalence Survey released in March 2003.

Never open e-mail attachments from strangers. And even those from people you know should be scanned with software that might spot viruses forwarded unintentionally.

Be selective about downloading and installing software. Know the source and scan the files before running any new program.

Get knowledgeable about pranks and hoaxes. Phony virus alerts waste almost as much time as the real thing. When you get a forwarded e-mail message breathlessly proclaiming some new threat, check it out at Vmyths (www.vmyths.com) or on other virus information sites before responding.

Regularly update Microsoft products. Many viruses attempt to exploit vulnerabilities in Windows, Outlook, Internet Explorer, and other products by the giant software empire. Microsoft’s security page (www.microsoft.com/security/) provides alerts, “patches,” and advice for both home and business users.

Back up. Back up. Back up. At work, store files on both PC and network hard drives. At home and on the road, copy important files to CDs or floppies. Begin backing up entire systems nightly or weekly, perhaps storing an extra copy of critical information offsite. Look into Web-based storage services such as Connected Corp. (www.connected.com), Easyspace’s Easyarchive (www.easyspace.com/services/easyarchive.html), and Elephant Backup (www.elephantbackup.com).

The computer-virus universe changes constantly, with, according to some estimates, about 20 new viruses surfacing every day. You can’t vaccinate your computers against all of them. But with vigilance and commonsense caution, you can strengthen your company’s electronic immune system, making it much more likely to survive an attack.

Glossary

Antivirus Program: Software that detects and removes viruses from computer hard drives. Such programs must be updated regularly to add profiles for the thousands of new viruses that appear every year; updating can often be handled quickly online.

Trojan (or Trojan Horse): A malicious program in disguise, named for the giant wooden gift horse the Greeks used to conquer their Trojan enemies. Trojans appear benign, entertaining, or even useful, but actually conceal viruses that can harm systems. Backdoor.BO (also called Back Orifice) is among the best-known examples.

Virus: A malicious software program used to deliberately infect a computer system. Typically, viruses are concealed in existing programs and activated when those programs are executed. Viruses often cause damage by replicating themselves, causing systems to crash, or by attacking or attaching themselves to other programs. Stealth viruses remain hidden or change themselves after executing so that they can’t be detected. Well-known viruses include Melissa and Bubbleboy.

Worm: A type of virus that replicates itself and gobbles up computer memory but cannot attach itself to other programs. Well-known worms include Klez.H, LoveLetter (sometimes called “IloveYou”), Bugbear, and Lovgate.

Further Reading

The following books, all available from Amazon (www.amazon.com) and other booksellers, offer generally easy-to-understand information about computer viruses:

Securing the Network from Malicious Code: A Complete Guide to Defending Against Viruses, Worms, and Trojans, by Douglas Schweitzer (John Wiley & Sons, 2002). Offers sound, practical, comprehensive advice from a security expert. Updates provided on a companion Web site.

Malicious Mobile Code: Virus Protection for Windows, by Roger A. Grimes (O’Reilly & Associates, 2001). Focuses on defensive strategies.

Viruses Revealed, by David Harley, Robert Slade, and Urs E. Gattiker (McGraw-Hill/Osborne Media, 2001). Explains what viruses are, how they work, where they come from, how to prevent them, and how to deal with them. Includes case studies. Also available as a downloadable, searchable e-book.

Resources

The following Web sites provide comprehensive information about viruses, worms, and similar threats:

About.com Antivirus Software Guide (antivirus.about.com/index.htm?terms=computer+virus): News, glossary, encyclopedia of hoaxes, links to vendors and other resources.

CERT Coordination Center, Carnegie Mellon University (www.cert.org/): A wealth of information on all aspects of computer security at work and at home.

CNET Virus Alert Center (www.cnet.com/software/0-7760531-8-6319437-1.html): News on current threats, advice on PC protection, links to free resources, and antivirus software vendors.

Computer Security Institute (www.gocsi.com): Major membership organization for technology-security professionals; Web site contains articles, reports, and links to additional resources about viruses and other security issues.

International Computer Security Association (ICSA) Labs (www.icsa.net): Independent arm of security vendor TruSecure Corp. (www.trusecure.com) offers “vendor-agnostic” testing and research. Web site contains constantly updated virus alerts, white papers, studies, an annual Virus Prevalence Survey, and more.

National Institute of Standards and Technology Computer Security Resource Center Virus Page (csrc.nist.gov/virus/): Information, links to other resources and antivirus software vendors.

Sophos Inc. (www.sophos.com/safecomputing): Safe-computing advice for both network administrators and individual users.

Virus Bulletin (www.virusbtn.com): Independent antivirus advice, news, profiles, and resources.

Vmyths (http://www.vmyths.com): Supersite for information on virus myths and hoaxes.

Vendors

Following is a sampling of major antivirus software vendors whose offerings include products, services, and information targeted to small and growing companies:

Command Software Systems Inc. (www.commandsoftware.com): Founded 1984; now part of Authentium Inc. Offers antivirus software for home users, large companies, and small businesses. Web site’s Virus Center includes news, alerts, a glossary, research, e-mail newsletters, and other information.

Computer Associates International Inc. (www.ca.com): Founded 1976. Offers antivirus software for businesses. Web site’s Virus Information Center contains alerts, an encyclopedia, and an extensive glossary.

McAfee Security (www.mcafee.com/): Founded 1989. Offers antivirus and security solutions for home users, large companies, and small and growing businesses. Network Associates Inc., McAfee’s parent company, provides free virus alerts, updates, updates on hoaxes, and other information.

Panda Software Inc. (www.pandasoftware.com): Founded 1990. Offers antivirus software for home users, large companies, and small and growing businesses. Web site includes a Virus Information Center with a virus encyclopedia (including the “Top 5” current threats), hoax updates, tips, and other resources.

Sophos Inc. (www.sophos.com): Founded 1986. Offers antivirus software for companies of all sizes. Web site includes a rich collection of analyses, articles, updates on hoaxes, and alerts, including a monthly “Top 10” virus list.

Symantec Corp. (www.symantec.com): Founded 1982. Offers firewalls, antivirus software, and other security solutions for home users, large companies, and small and growing businesses. Web site provides free virus alerts and a library of virus information. Customers can download antivirus updates from the home page. Provides updates on hoaxes.

Trend Micro Inc. (www.trendmicro.com): Founded 1988. Offers network antivirus software and other security products and services. Web site includes virus advisories, an encyclopedia, prevention tips, and additional information. Also offers a free online cost-analysis calculator for determining the potential financial impact of virus attacks.

Send feedback, column ideas, and tech tips to annestuartinc@yahoo.com.
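The e-mail gateway filter the column recommends, as an added illustration rather than code from the column or any vendor: it blocks attachments that carry executable code, judged by file extension and by the file’s leading bytes so a renamed program is still caught, and the sample shows why such a filter also captures a legitimate vendor installer. The extension list, magic bytes, addresses and sample message are assumptions constructed for this example.

```python
"""Mail-gateway attachment filter (added illustration, not the column's or
any vendor's code).  Policy: block a message if any attachment carries
executable code, judged by file extension or by leading magic bytes, so a
renamed .exe is still caught."""
from email import encoders, message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Assumed policy list: extensions Windows runs directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Leading bytes of native executables, checked regardless of the file name.
EXECUTABLE_MAGIC = {b"MZ": "DOS/Windows PE", b"\x7fELF": "ELF"}


def classify_attachment(filename, data):
    """Return a reason string if the attachment looks executable, else None."""
    name = (filename or "").lower()
    dot = name.rfind(".")
    ext = name[dot:] if dot >= 0 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return f"executable extension {ext}"
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return f"{label} header despite name {filename!r}"
    return None


def scan_message(raw):
    """Parse a raw RFC 822 message and return [(filename, reason)] for every
    attachment the policy would block; an empty list means the message passes."""
    blocked = []
    for part in message_from_string(raw).walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue  # container or body text, not an attachment
        reason = classify_attachment(filename, part.get_payload(decode=True) or b"")
        if reason:
            blocked.append((filename, reason))
    return blocked


def build_message(attachments):
    """Construct a sample multipart message (constructed test data, not real mail)."""
    msg = MIMEMultipart()
    msg["From"] = "partner@example.com"
    msg["To"] = "staff@example.com"
    msg.attach(MIMEText("Figures and the new reporting tool attached."))
    for name, data in attachments:
        part = MIMEBase("application", "octet-stream")
        part.set_payload(data)
        encoders.encode_base64(part)
        part.add_header("Content-Disposition", "attachment", filename=name)
        msg.attach(part)
    return msg.as_string()


# Constructed sample: a harmless spreadsheet (OLE2 header), an executable renamed
# to look like text, and a genuine vendor installer.  The filter blocks the last
# two; the installer is the legitimate attachment the column warns gets caught.
SAMPLE_MESSAGE = build_message([
    ("figures.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
    ("invoice.txt", b"MZ\x90\x00" + b"\x00" * 12),
    ("setup.exe", b"MZ\x90\x00" + b"\x00" * 12),
])


def demo():
    """Run the policy over the sample; returns the blocked (filename, reason) pairs."""
    return scan_message(SAMPLE_MESSAGE)
```

Running `demo()` blocks `invoice.txt` (PE header behind a text name) and `setup.exe` (executable extension) while letting `figures.xls` through; a real gateway would quarantine the installer for human review rather than silently drop it.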

Creating a Cyberdefense

E-Strategies

Worried that terrorists might attack U.S. computer systems next? A few simple precautions will go a long way toward protecting your company.

Even before last September’s terrorist attacks, the law firm of Lewis and Roca LLP was hypercautious about safeguarding its sensitive digital documents. In fact, compared with other small companies in the law firm’s home city of Phoenix and other law firms nationwide, Lewis and Roca seemed not just security-conscious but, well, a tad security-paranoid. For instance, accessing the firm’s sophisticated client extranet had always required using a tool that constantly generated new personal-access numbers. And the firm’s network automatically logged off users whose keyboards were idle for more than 60 minutes.

But that was before September 11. Afterward, like their counterparts at other businesses nationwide, Lewis and Roca executives worried even more about the possibility of unseen intruders infiltrating their computer systems. So the 51-year-old firm, which also maintains branch offices in Tucson and Las Vegas, immediately had an in-house team focus more closely on reviewing the firm’s entire data-protection arsenal.

The law firm’s biggest priority, of course, is protecting the physical safety of its 350 employees, says chief operating officer Robert S. McCormick. To that end, Lewis and Roca has increased surveillance and security in all its buildings. But shielding its confidential records from theft, damage, or deletion also remains what McCormick calls a top “ethical and legal responsibility.”

Lewis and Roca is far from alone in reconsidering its whole spectrum of data security. And under the circumstances, the firm is hardly overreacting. “Right now I don’t think it’s possible to be too worried” about safeguarding records, says Weston Nicolls, a former National Security Agency executive who is chief information security officer at Telenisus Corp., a provider of managed Internet infrastructure services based in Chicago.

Nicolls’s concerns are shared by Michael A. Vatis, director of the Institute for Security Technology Studies at Dartmouth College. In a report released just after September 11, Vatis warned that attacks on U.S. computers were “extremely likely” as part of larger, coordinated terrorist actions launched in retaliation for U.S. military strikes.

Federal officials apparently agree. Three days after the September terrorist attacks, the FBI’s National Infrastructure Protection Center issued a formal advisory warning of possible vigilante activity online. A few weeks later, the Bush administration appointed longtime White House counterterrorism coordinator Richard Clarke to the newly created job of cyberspace security adviser. Clarke has repeatedly warned Congress and U.S. businesses about the potential for a “digital Pearl Harbor” in which distant assailants would invade and damage the country’s computer networks and telecommunications systems.

The good news is that there were no reports of widespread cyberterrorism in the weeks immediately following the suicide hijackings. But as the Dartmouth report points out, previous political conflicts — for instance, clashes between India and Pakistan — have led to “cyberattacks” in those countries. So as U.S. military action continues overseas, Americans need to be highly alert for a possible new wave of virtual warfare, with both distant and domestic hackers trying to deface or crash Web sites, disseminate computer viruses, and break into vulnerable networks to steal, corrupt, or delete information.

Osama bin Laden’s shadowy, computer-literate followers aren’t the only potential assailants. “Even more likely are cyberattacks by sympathizers of the terrorists, hackers with general anti-U.S. or anti-allied sentiments, and thrill seekers lacking any political motivation,” the Dartmouth report warns.

In other words, companies should consider cyberterrorism not just possible but probable. They should also prepare accordingly, just as a California company might plan its response to an earthquake or a power failure and an East Coast business might protect its systems and data against a likely blizzard or hurricane. That means taking stock now to determine what’s sufficiently safeguarded and what’s still vulnerable — and having an IT staffer or outsourcer make corrections immediately.

“Once you’re attacked is not the time to think about how to respond,” says Mark Schertler, vice-president of networking and security services at Primitive Logic Inc., a consulting firm in Sausalito, Calif. “You should have a recovery plan in place. You should have discrete and diverse service providers so that if one gets attacked, you can still operate. And if you’re relying on the Internet for revenue, you should have redundant sources to connect to it.”

What’s the minimum computer protection for small businesses? For starters, virus-scanning programs. Self-installed software that detects and stops both viruses and worms can cost as little as $100. Once the software is installed, companies should assign someone to update the protection programs at least once a week — but preferably daily — to protect against the latest nasty attack. “It’s like an arms race,” says Schertler. “New viruses are coming out all the time.”

A second must-have: a firewall, or shield, between the company’s internal systems and the Internet, to prevent unauthorized intrusions. The cost for that ranges from less than $50 for a home-based business to thousands of dollars for large companies with many remote users and massive amounts of confidential or valuable information.

Next, companies of all sizes should regularly back up all systems. Small companies may be able to get by with weekly backups; businesses of, say, $10 million or more in annual revenues should invest in technology that will take a data snapshot daily. Both should stash the stored data off-site. (Nicolls of Telenisus suggests using a bank vault.) Every company should also make plans to run its networks from another location if necessary.

Growing companies may also want to invest in a virtual private network (VPN), which provides far-flung employees, business partners, customers, and vendors with a secure tunnel into a business’s internal computer system. They should also add security software to their road warriors’ portable equipment, such as laptops and personal digital assistants. (See “Laptop Insecurity,” Inc., March 15, 2001.) Users of Microsoft’s Windows operating system may want to consider upgrading to the new Windows XP operating system for its built-in firewall, enhanced virus protection, and capability for encrypting files both on the desktop and in transit over the Internet.

For businesses of all sizes, Primitive Logic’s Schertler, who like Nicolls is a former NSA official, recommends two other security precautions that together cost precisely nothing. First, require employees to use “strong passwords,” made-up phrases that would-be intruders can’t guess or decipher by running programs that automatically test passwords against common words or names. “Mix up letters and symbols to create something you wouldn’t find in a dictionary,” says Schertler, something like “drB613Jzx.” Second, assign someone on staff to act as your in-house point person for software-vendor updates. That way, your company will get regular reminders about such things as upgrades and patches, which crop up over time. Some security breaches, particularly those on Web sites, happen simply because nobody has the responsibility for retrieving the remedy for a security hole.
Lewis and Roca already had many of those precautions in place. But after the terrorist attacks, the firm looked even harder for potential weak spots. Its in-house security team renewed its interest in how the firm controlled access to its systems, including its public Web site and client extranet. Team members also reviewed the firm’s virus-scanning capability, as well as its plans for preserving digital records during a natural — or terrorist-caused — disaster. In direct response to the World Trade Center attack, they even researched ways to salvage paper records. “The pictures of legal documents floating through the streets of lower Manhattan made us aware that recovery of electronic data alone may not be sufficient,” says chief operating officer McCormick. “We may want to consider technologies that will provide us with electronic images of our paper documents and files.”

At the same time, the law firm, like many other small businesses, realizes its security-improvement process will never be finished. “It’s fluid, it’s evolving,” McCormick says. “We’re learning new things day by day as the situation changes.” In fact, on the day McCormick made those comments, his firm had just launched a new security initiative to investigate ways to monitor incoming mail for evidence of explosives, anthrax spores, or other potentially deadly materials. The firm also advised employees about ways to protect and preserve data on their own home computers, as well as ways to secure office E-mail and voice mail.

Yet despite widespread concern about cyberterrorism, the FBI’s data indicate that most security problems originate within a company’s walls, either by accident or by design. For that reason, experts also recommend that companies monitor their networks for unauthorized remote access, set alarms to indicate large deletions of files, and remove ex-employees’ access to computer, E-mail, and even voice-mail systems as soon as they’re out the door. As security expert Nicolls puts it, “Unfortunately, people can still screw up the very best technology you can buy.”

Anne Stuart is a senior writer at Inc.

Computer and Internet Security Resources

COMPUTER SECURITY WARNINGS AND ADVISORIES: FBI’s National Infrastructure Protection Center (www.nipc.gov); CERT Coordination Center, Carnegie Mellon University, funded by the U.S. Department of Defense (www.cert.org); The System Administration, Networking, and Security Institute (www.sans.org).

COMPUTER SECURITY INFORMATION AND TRAINING: Computer Security Institute (www.gocsi.com).

FREE TIPS ON PREVENTING SECURITY PROBLEMS AND CYBERTERRORISM ATTACKS: Telenisus Corp. (www.telenisus.com).

REPORT PREDICTING CYBERATTACKS DURING THE U.S. WAR ON TERRORISM: The Institute for Security Technology Studies, Dartmouth College (www.ists.dartmouth.edu/ISTS/counterterrorism/cyber_attacks.htm).

Hands On

48 Hours: How do you eliminate bureaucratic bottlenecks? Siamak Farah, CEO of InfoStreet, a $1.8-million developer of corporate intranets in Tarzana, Calif., wants his 15 staffers to take initiatives and run with them — as opposed to waiting for a manager’s approval. So in early 2000 he inaugurated “the 48-hour rule.” “If an employee comes up with an idea or proposal and submits it to his or her superior, the superior has two working days to respond,” he explains. If a manager doesn’t respond within 48 hours, then the employee can proceed under the assumption that the manager has granted approval. Farah says the rule has “done wonders” for decision making and initiative taking. And what if, perchance, a manager is away for two days? Nothing changes. Absentees must delegate the decision making to a second-in-command. –Ilan Mochari

Please e-mail your comments to editors@inc.com.